The vast majority of viruses fail to spread successfully in the
wild, and yet some of them still manage to interest customers and
A recent example of this is W32/Duni-A. At the time of
writing Sophos technical support has received no reports from any
customers infected by this worm, but the curious lengths the virus
writer went to in an attempt to encourage users to double click on
the attachment have raised many eyebrows.
The virus spreads itself via email using a variety of Spanish
language phrases and filenames. The fact that it communicates in
Spanish means that it instantly becomes less likely to spread in
communities and organisations where Spanish is not normally used.
Unlike, for instance, the W32/Sircam worm it is not
a virus which can determine the language of the computer it is
running on and switch between Spanish and English at will.
The author of W32/Duni-A has, however, used some other tricks in
an attempt to spread his creation further.
For instance, the worm sends itself in the form of a .CPL
(Control Panel Extension) file. Many users may not realise that
.CPL files are executable code and should be treated with the same
suspicion as, for instance, .EXE files.
Furthermore, W32/Duni-A uses the commonly encountered
psychological technique of luring the user into double-clicking on
the attachment by suggesting the file is humorous, titillating,
related to an internet security problem or intended for the
Examples include that the attachment claims to contain pictures
of victims of Jack The Ripper and Charles Manson, details of the
latest virus hoaxes and that Osama Bin Laden is president of
Finally, the worm also tries to use the KaZaA file exchange
network to spread itself, suggesting amongst other choices that it
might be pornographic material related to Britney Spears and David
Beckham, cracks for anti-virus software, hardcore sex movies, or
desktop themes related to the movie Spider-Man.
"This worm shows that, despite their best efforts at
psychological subterfuge, the majority of viruses do not spread
successfully in the wild," said Graham Cluley, senior technology
consultant for Sophos Anti-Virus. "Although this worm contains
material which may make it memorable it does not present a threat
to those who practise safe computing and keep their anti-virus
software up-to-date. Users should always be suspicious of
unsolicited email attachments and be wary of downloading unknown
executable content via the internet"